Sergio Lopez is a user on mstdn.io.

Sergio Lopez @slp@mstdn.io

I'm honestly surprised that I haven't yet seen a kernel patch implementing a tunable forbidding the scheduler from putting two vCPUs in sibling SMT cores.

If I had the time (which I don't), I would definitely consider writing my own PoC, based on the one described in the paper, and then fiddling around with small variations.

I'm starting to think there's something we haven't been told about Spectre #2. Real world exploitation seems _really_ hard, especially across domains, but still everyone involved is very worried about it. 🤔

Never been a fan of x86, but the amount of kludge we're adding to deal with Spectre #2 sets a new world record on ugliness. lkml.iu.edu/hypermail/linux/ke

PSA: Don't manipulate containers while listening to "Pickle Rick! Remix". I've just tried to "dicker" something.

Sergio Lopez boosted

@slp
1. It's actually 'PAW' Patrol and not 'Paw' Patrol, being an acronym for 'Pups At Work'.
2. The PAW Patrol is likely a charity-funded volunteer service, like some real life emergency services.
3. PAW Patrol is technically a mecha anime. Think about it carefully.

Being a parent makes you wonder about the biggest, hardest questions in life. Like, does the Paw Patrol work as a government sponsored service, or is it a premium service offered by some insurance companies?

Google being a bro here. Kudos to them.

My wife just told me that's not what normal people do. I guess she's right. Probably most of you have been backporting the x86/pti branch.

Woke up early this morning (couldn't sleep), so I did what normal people do, and backported upstream's IBRS patches to Fedora's kernel. t.co/AG1sdHoxJd

TIL ProjectAtomic's libpod allows you to easily manage containers from your own code. Cool! github.com/projectatomic/libpo

Sergio Lopez boosted

@slp

I tested it on Chrome (with the site isolation feature activated) on OpenBSD and it is not vulnerable, but my IDS (Suricata) with the ET/Snort updated rules for Spectre didn't detect anything at all. That's why even when using an IDS I don't put too much trust in it; signature-based detection is easily fooled.

Don't panic if your browser comes out as vulnerable, this is just a PoC. A real attacker would need to find a vulnerable function already present in the browser, and AFAIK none have been found so far (and I'm pretty sure there's a bunch of people looking for them 😉)

Here you can find a full JavaScript PoC to verify if your browser is vulnerable to attacks. Take a look at the source code too, it's very readable. xlab.tencent.com/special/spect

"Controlling the Performance Impact of Microcode and Security Patches for CVE-2017-5754 CVE-2017-5715 and CVE-2017-5753 using Red Hat Enterprise Linux Tunables" (Meltdown and Spectre) access.redhat.com/articles/331

Sergio Lopez boosted

@maiki have you seen this Eelo project thing? Privacy-centric LineageOS fork, designed to promote privacy-respecting cloud services, with a non-profit org set up to host development, sell preloaded phones and host some open source cloud services that you're also encouraged to self-host. Being spun up by the founder of Mandrake Linux.

Might need to be added to one of your watch lists.

@slp This year I should upgrade my home server to some other ARM SoC with more processing power. And an upgrade on I/O bandwidth would be nice too.

Damn, I had to reduce the bandwidth of my Tor relay from 1MB/s to 250KB/s, as this RPi2 couldn't cope with the encryption load. Even with this change, CPU %user is barely under 100%.

Hm... so flannel with the vxlan backend requires all endpoints to set an MTU equal to or lower than 1450. Good to know.